This article was published on January 31, 2019

New macOS malware steals your cookies to swipe your cryptocurrency

I never liked the Cookie Monster


New macOS malware steals your cookies to swipe your cryptocurrency

Update 08:12 UTC, February 1: Original reporting placed MyEtherWallet alongside the affected cryptocurrency exchange services. MyEtherWallet is not a true exchange, it is an interface service for the Ethereum blockchain. MyEtherWallet contacted Hard Fork to clarify that it doesn’t use cookies so won’t be affected by CookieMiner in that sense, however, if you save your passwords in Chrome you may still be vulnerable.


Security researchers from Palo Alto Networks’ Unit 42 have identified a new cryptocurrency stealing malware. What has been dubbed as “CookieMiner,” specifically targets Mac users and the cookies related to their logon credentials for cryptocurrency exchanges like Coinbase, Binance, Poloniex, Bittrex, Bitstamp, and Ethereum blockchain service, MyEtherWallet.

There be gold in them cookies

The new malware was uncovered after examining the infamous OSX.DarthMiner which surfaced late last year.

“It sparked our interest as it was a new variant with additional functionality,” Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, told Hard Fork.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

It also attempts to steal passwords saved in Chrome, and text messages stored in iTunes backups. When all this information is in the hands of attackers, it’s quite easy for them to steal cryptocurrency from the victim’s exchange accounts.

Having a person’s login credentials usually isn’t enough to gain access to their account if they have 2FA enabled. However, if the hacker has their authentication cookies too, they can use these to make the login attempt appear as if it’s connected to a previously verified session. If so, the website won’t ask for the login attempt to be authenticated.

According to Miller-Osborn, this attack is indicative of old-school malware methods being tweaked for success in the cryptocurrency space.

“There are a lot of coinminers and other malware in the wild and targeting credentials or cookies stored in browsers is not new,” Miller-Osborn added. “Targeting all of these with apparent focus on gaining access to cryptocurrency exchanges and trying to avoid [multi-factor authentication] protections is newer.”

Sneaky sneaky

That’s not all. The malware also installs some coin mining software that uses the victim’s system to mine cryptocurrency without them knowing.

The crypto-jacking software, on the surface, takes a similar form to the XMRIG coin miner which usually mines Monero. But in this case, the miner is configured to mine Koto, a small-time Japanese cryptocurrency. Although Miller-Osborn clarified, “[t]here isn’t enough data to point to who is behind this or where they are located.”

Perhaps Koto was chosen as it’s a privacy coin and can be used to cover the attacker’s tracks. The fact it has ties with Japan might just be something else to try to throw digital forensic researchers off the trail.

Having your cryptocurrency stolen because of some purloined cookies can be avoided.

Miller-Osborn urges people to avoid ever saving credentials or credit card information within their browsers, as it’s a common attack vector for malware like this.

“They should also clear web browser caches regularly, particularly after logging into financial or other sensitive accounts. It’s quick and ensures the data is not within web browsers to steal,” she advised.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with